How Ethical Hacking Can Make DOD’s Weapon Systems More Secure

In 2018, the Government Accountability Office released a report that revealed cyber vulnerabilities in nearly all weapon systems under development at the Defense Department. During the study, penetration testers were tapped to play the role of adversary — using their ethical hacking expertise to expose even the simplest of vulnerabilities, including weak passwords. For many defense leaders, this was a wake-up call. It was time to reprioritize weapon system testing.

Today, as the Defense Department looks to protect and preserve national security, it is beginning to recognize a need to mitigate invisible vulnerabilities within existing systems and invest in tools and solutions that can enable weapon system cybersecurity.

This paradigm shift also comes after a number of pushes from the private and public sector to invest in this type of cybersecurity. In July 2020, the Cyberspace Solarium Commission released several legislative proposals aimed at empowering DOD to more effectively defend the nation against cyberattacks. Among these recommendations: evaluate cyber vulnerabilities of major weapon systems, with the aim to share lessons learned from these assessments in order to continue improving nuclear command and control system resiliency.

The Case for Crowdsourcing Cybersecurity 

To get there, DOD is partnering with security researchers who can help shed light on these vulnerabilities. Known as “pentesters,” or “ethical hackers,” these professionals are paving the way for a future where weapon systems are more secure. 

This approach was backed in the Department of Defense Cyber Strategy, which outlined a plan to identify crowdsourcing opportunities, such as hack-a-thons and bug bounties, in order to identify and mitigate vulnerabilities more effectively. The benefit of crowdsourced security testing is two-fold. First, it grants defense leaders higher visibility into their testing from an adversarial perspective. Second, it aims to add scale and efficiency by narrowing the cybersecurity workforce gap and leveraging the skills and expertise outside of DOD. In fact, one telling report from Cybersecurity Ventures predicts that there will be 3.5 million unfilled cybersecurity jobs globally by 2021. 

Moreover, in 2019 “the Department of Test and Evaluation highlighted a serious shortage of pentesters within the DoD and burnout,” adds Mark Kuhr, chief technology officer and co-founder at Synack, a technology company that aims to fill this gap “by providing world-class talent in crowdsourced pentesting to help augment internal teams.” 

An Alliance of Humans and Machines

In order for this crowdsourced security model to scale at the pace of systems development and digital transformation, humans and machines must work together and augment each other. Artificial intelligence excels at conducting repetitive tasks at scale, whereas human strengths lie in creative tasks and business logic. Working together, humans and machines cover all the bases necessary for successful cybersecurity testing. 

Kuhr and his colleagues at Synack work directly with DOD to provide managed crowdsourced penetration testing. Unlike bug bounty marketplaces, Synack’s secure platform combines the intelligence of vetted researchers and AI/ML to investigate and respond to vulnerabilities in a controlled way. The “Synack Red Team” (SRT) is composed of security researchers who undergo a complex vetting process that assesses skill and trust, with a small percentage of applicants accepted into the program. 

The SRT also leverages AI-enabled proprietary scanning technology to trace suspected vulnerabilities and deliver high quality, actionable insights to the end user. 

“Synack brings a human-centered approach to security testing to mimic what a real attack looks like while providing smart technology to help testing scale,” Kuhr explained. 

For example, Kuhr and his team recently combined the capabilities of human and artificial intelligence through a collaboration with the Defense Advanced Research Projects Agency, the organization at DOD responsible for testing and developing emerging technologies for military use. The project is a public-private partnership between DARPA, Defense Digital Service and Synack. Their goal: develop hardware security architectures that protect systems against hardware vulnerabilities exploited through software. As part of this mission, DARPA engaged Synack’s crowdsourced community of vetted researchers to test the implementation. 

“Synack’s platform and community of ethical hackers provide us with the resources needed to thoroughly test and vet our defenses,” DARPA Program Manager Keith Rebello said in a recent Synack blog post. “Working with Synack and DDS provides us with proven expertise and confidence in this effort’s success.”

Ethical Hacking Helps DOD Stay Ahead of the Adversary 

The role of ethical hacking programs like Synack’s have become even more valuable today, as DOD must protect against increased threats from nation state actors. 

Take complex systems used in military aircraft, for instance. "There are millions of lines of code that are in all of our aircraft and if there's one of them that's flawed, then a country that can't build a fighter to shoot down that aircraft might take it out with just a few keystrokes,” Will Roper, a top U.S. Air Force acquisitions executive told The Washington Post. 

Instead, tapping the ethical hacking workforce can help DOD fix problems with weapon systems before it’s too late. In 2019, DOD granted Synack’s team of researchers access to a flight system used in F-15 fighter jets. The testers discovered glitches in the system that could be exploited to shut down a $20K device used to collect data from video cameras and sensors. 

Thanks to these discoveries, the Defense Department is beginning to think about threats in new ways. Moreover, defense leaders are warming up to the idea that a crowdsourced approach to weapon systems security is the way to go. 

"We want to bring this community to bear on real weapons systems and real airplanes,” Roper said to The Washington Post. “And if they have vulnerabilities, it would be best to find them before we go into conflict.”